lolcreds

Public credential defaults and exposure patterns for authorized security testing.

HashiCorp Consul

HashiCorpother5 credentials

Credentials5 documented
01

Unauthenticated HTTP/DNS/Service Discovery Access

consul / unauthenticated-default

Consul ACL enforcement is disabled until ACLs are enabled and bootstrapped. In ACL-disabled deployments, HTTP API, DNS, service catalog, health, and KV access can be available without an ACL token depending on listener exposure.

no authsecretusername/password

Unauthenticated access

open default
no authentication required
username
none
password
none

Location

public interface
Consul HTTP API :8500, DNS :8600, gRPC/API listeners

Consul service discovery, catalog, health, KV, and agent endpoints when ACLs are disabled

config file
/etc/consul.d/*.hcl, consul.hcl

acl.enabled, default_policy, tokens, addresses, ports, and bind/client_addr settings control no-auth exposure

logs

Consul agent startup logs and ACL bootstrap/status output

Notes

This represents no ACL token requirement, not a credential value. Impact depends on whether ACLs are enabled, default policy, bind/client addresses, mesh exposure, and network filtering.

02

Consul ACL Token

consul / acl-token

Consul ACL tokens authorize service discovery, KV, intentions, service mesh, and administrative operations. Bootstrap and management tokens are especially sensitive.

generated on installuser definedsecrettoken

Looks like

pattern
pattern

UUID-style Consul ACL token secret commonly emitted by bootstrap/token create commands

^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$

Location

http header
X-Consul-Token

Consul HTTP API ACL token header

config file
/etc/consul.d/*.hcl, consul.hcl

agent tokens, default tokens, replication tokens, and ACL configuration

environment
CONSUL_HTTP_TOKEN, CONSUL_HTTP_AUTH
secret store

Vault, Kubernetes Secrets, Nomad variables, and CI/CD secret stores

source code

Terraform providers, deployment repos, Helm values, and integration tests

logs

agent logs, API traces, and bootstrap command output

03

Gossip Encryption Key

consul / gossip-encryption-key

Consul agents can use a shared gossip encryption key to protect LAN/WAN gossip traffic. The key is a cluster-wide secret distributed to agents.

generated on installuser definedsecretsecret value

Looks like

pattern
pattern

base64-like Consul gossip encryption key generated by consul keygen; context identifies the value

^[A-Za-z0-9+/]{32,}={0,2}$

Location

config file
/etc/consul.d/*.hcl

encrypt setting and keyring material

environment
CONSUL_ENCRYPT
secret store

Kubernetes Secrets, Vault, Nomad variables, and configuration vaults

source code

cluster bootstrap scripts and IaC modules

logs

agent startup logs and debug output

04

TLS Certificate / Private Key

consul / tls-cert-and-private-key

Consul can use TLS for RPC, HTTPS API, and mTLS between agents. Private keys and CA material authenticate agents and clients.

generated on installuser definedsecretkey pair

Looks like

pattern
pattern

private key material for Consul agent, server, client, or CA TLS authentication

-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----

Location

config file
/etc/consul.d/, /opt/consul/tls/

TLS cert_file, key_file, ca_file, and auto-encrypt settings

secret store

Vault PKI, Kubernetes Secrets, and certificate stores

artifact

cluster backups, support bundles, and exported CA material

05

Service Mesh, KV, and Integration Secrets

consul / service-mesh-and-integration-secrets

Consul deployments may store service mesh certificates, Connect CA keys, Consul KV secrets, cloud auto-join credentials, and integration tokens.

generated on installuser definedsecretsecret value

Location

database

Consul state store, KV entries, ACL policies, and Connect CA state

config file

agent configs, service definitions, cloud auto-join settings, and sync integrations

secret store

Vault, Kubernetes Secrets, and external secret stores

logs

Connect, ACL, federation, and sync logs

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.